
Advice for mitigating cybersecurity threats

Nearly three-fourths of company finance leaders have become more involved in cybersecurity in the wake of increases in phishing scams and credit card and database breaches, according to a new global survey.

Forty-nine per cent of respondents said their business had fallen victim to a cyberattack in the past two years. Sensitive information, reputation, and business operations were viewed as most at-risk, according to a survey of more than 700 finance leaders from the Association of International Certified Professional Accountants.

Companies are responding with initiatives such as employee phishing-awareness training, increased cybersecurity and fraud-prevention spending, and tougher policies for third-party vendors, whose weaknesses can become the company's own. Some businesses are increasing liability insurance to plan for disruptions, and others are adding positions dedicated to cybersecurity threats, the survey said.

Finance executives and cybersecurity experts shared several tips to mitigate threats and breaches:

First Century Bank, which has seven branches in Tennessee, sends simulated phishing emails to employees to see if they will click the links, said Andy Bonner, CPA, CGMA, the bank’s CFO. The exercise raises awareness amongst staff that they must read emails closely. “We’re showing them how to hover over links to see if the email is fake, and who sent it,” Bonner said.
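
The check Bonner describes, hovering over a link to compare where it claims to go with where it really goes, can be automated at the mail gateway. The following is an added example written for this article, not code from First Century Bank or any vendor named here: it parses the HTML body of a message, pulls every link, and flags one when the clickable text names a different site from the real destination, or when the destination is not under the sender's domain. The sender address, the email body and the `.example` phishing host are constructed sample data; the second rule is a heuristic (legitimate mail often links to third-party hosts) and is reported as a separate reason so a reviewer can weigh it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname or URL that appears in the clickable text, e.g. "www.examplebank.com/verify"
TEXT_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def normalise(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def same_site(host, site):
    """True if host is the site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def suspicious_links(html_body, sender_domain):
    """Return one finding per link whose real destination contradicts what the reader sees."""
    parser = LinkExtractor()
    parser.feed(html_body)
    sender = normalise(sender_domain)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto: and relative links are out of scope for this check
        real_host = normalise(urlparse(href).hostname or "")
        reasons = []
        m = TEXT_HOST_RE.search(text)
        if m:
            claimed = normalise(m.group(1))
            if not same_site(real_host, claimed):
                reasons.append(f"text shows {claimed} but link resolves to {real_host}")
        if not same_site(real_host, sender):
            reasons.append(f"{real_host} is not under sender domain {sender}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message (not a real email); the second link is the lure.
SAMPLE_SENDER = "alerts@examplebank.com"
SAMPLE_BODY = """<html><body>
<p>Your statement is ready. <a href="https://www.examplebank.com/statements">View your statement</a>.</p>
<p>Security notice: confirm your details at
<a href="http://examplebank.com.secure-login.example/verify">www.examplebank.com/verify</a></p>
</body></html>"""


def check_sample():
    domain = SAMPLE_SENDER.split("@", 1)[1]
    return suspicious_links(SAMPLE_BODY, domain)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the second link is reported: its visible text says `www.examplebank.com` while the hostname actually ends in `secure-login.example`, the same trick a hovering reader would spot. The first link survives because `www.examplebank.com` is treated as the sender's own site.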

Phishing falls under social engineering (con games, deception, trickery); anything used for communication, even Twitter and Facebook, could be a conduit of social engineering and phishing, said Morey Haber, vice president of technology at cybersecurity firm BeyondTrust.

“Mitigating phishing comes down to policies, procedures, and education. There should be authorised channels for communication, and authorised people to make those communications,” Haber said. For example, policies can dictate that an employee who receives a suspect email must validate it with a phone call to the sender, or alert the help desk.

At Micro 100, if network-monitoring software sees encryption activity that indicates a ransomware attack, new firewall software isolates the affected system, and Micro 100 rolls back to a clean version of its data, said Armstrong. “We will shut everything down and just do a reboot from our database to just 15 minutes earlier so that we aren’t trying to replicate data,” he said.
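
Ransomware gives itself away by writing ciphertext, which has near-maximal byte entropy, to many files in a short time. The detector below is an added example written for this article, not Micro 100's monitoring or firewall software: it scores each file write by Shannon entropy and raises an alert only when high-entropy writes hit at least ten distinct files within a sixty-second window, so a single compressed archive (also high entropy) does not trigger it. The thresholds, file paths and write events are constructed sample data; the alert's suggested action mirrors the isolate-and-restore response described above.

```python
import math
import random
from collections import Counter, deque


def shannon_entropy(data):
    """Bits per byte: roughly 4.5 for English text, close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class EncryptionBurstDetector:
    """Flags a burst of high-entropy writes across many distinct files inside a sliding window."""

    def __init__(self, entropy_threshold=7.5, min_size=1024, window_seconds=60, file_threshold=10):
        self.entropy_threshold = entropy_threshold
        self.min_size = min_size          # tiny writes have unreliable entropy estimates
        self.window_seconds = window_seconds
        self.file_threshold = file_threshold
        self._recent = deque()            # (timestamp, path) of high-entropy writes in the window

    def observe(self, ts, path, data):
        """Feed one write event; returns an alert dict when the burst threshold is crossed."""
        if len(data) < self.min_size or shannon_entropy(data) < self.entropy_threshold:
            return None
        self._recent.append((ts, path))
        while self._recent and ts - self._recent[0][0] > self.window_seconds:
            self._recent.popleft()
        touched = {p for _, p in self._recent}
        if len(touched) >= self.file_threshold:
            return {
                "ts": ts,
                "files": len(touched),
                "action": "isolate host, then restore from the last clean snapshot",
            }
        return None


def build_sample_events():
    """Constructed write events (timestamp, path, bytes); not captured from a real system."""
    rng = random.Random(42)
    text = b"Q3 board pack: revenue up 4%, headcount flat, capex deferred to Q4.\n" * 20
    events = [(t, f"/shares/finance/report{t}.docx", text) for t in range(5)]       # normal edits
    events.append((30, "/shares/finance/archive.zip", bytes(rng.getrandbits(8) for _ in range(4096))))  # one benign archive
    for i in range(15):                                                              # ransomware-style burst
        events.append((100 + i, f"/shares/finance/ledger{i}.xlsx", bytes(rng.getrandbits(8) for _ in range(4096))))
    return events


def run_detector(events):
    detector = EncryptionBurstDetector()
    alerts = []
    for ts, path, data in events:
        alert = detector.observe(ts, path, data)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detector(build_sample_events()):
        print(alert)
```

The first alert fires at the tenth distinct ciphertext write (t = 109 in the sample), well before the burst finishes. A production version would add the other classic signals (mass renames to a new extension, ransom-note files, deletion of shadow copies) and would feed the alert to whatever isolates the host; entropy alone will also light up on legitimate bulk compression or backup jobs, which is why the distinct-file count and window matter.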

Cybersecurity reports from several sources, including Verizon and cybersecurity company Carbon Black, have found dramatic increases in the occurrence of ransomware attacks and the availability of ransomware software. “Organisational personnel need to maintain awareness of changes in the threat landscape by monitoring public and industry sources of information, and have the flexibility to modify their security program to address these threats,” said Jeff Sanchez, managing director, Data Security & Privacy Practice, at the consulting firm Protiviti.

Consider layered defences, and fast cancellation and local replacement of cards after credit card breaches:

First Century Bank acts on credit card breaches immediately, Bonner said. “We’re physically cancelling the customer’s credit cards and calling them, telling them to come in,” he said. “It’s not uncommon for us to print 25 to 50 cards a week to replace cards from breaches.”

Large amounts of credit card information need additional layers of protection including vulnerability management, privileged access, log file management, and security information and event management (SIEM), Haber said. Mitigating vulnerabilities, limiting administrative access, managing system logs, and performing real-time analysis of security alerts provide these additional protection layers. The key to mitigating breaches is not to consider each of these security disciplines separately, but rather as an integrated security defence that shares information.

“When you link solutions such as log file management and SIEM to existing solutions like data-leak/data-loss prevention (DLP), you can quickly detect credit card data in transit,” Haber said.
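
The detection Haber describes, DLP spotting card data as it leaves the network and handing the event to a SIEM, comes down to finding primary account numbers (PANs) in outbound payloads without drowning analysts in false positives. The example below is added for this article and is not BeyondTrust's or any product's code: it extracts 13-to-19-digit candidates (allowing spaces or dashes), keeps only those that pass the Luhn check, masks them, and packages the result as a SIEM-ready event. The payload, addresses and card numbers are constructed; the two surviving numbers are the public Visa and Mastercard test numbers, and the 203.0.113.x address is from the TEST-NET-3 documentation range.

```python
import json
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; every issued card number passes it, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(digits):
    """Keep the BIN and last four for triage; never put the full PAN into a log or SIEM."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked PANs found in text: candidates must be 13-19 digits and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def build_alert(src, dst, payload):
    """Produce the event a DLP sensor would forward to the SIEM, or None if nothing was found."""
    pans = find_pans(payload)
    if not pans:
        return None
    return {
        "event": "pan_in_transit",
        "src": src,
        "dst": dst,
        "count": len(pans),
        "pans": pans,
        "action": "block connection and raise a SIEM incident",
    }


# Constructed outbound request; not real traffic or real customer data.
SAMPLE_SRC = "10.20.30.40"
SAMPLE_DST = "203.0.113.7:443"
SAMPLE_PAYLOAD = (
    "POST /export HTTP/1.1\r\nHost: files.example\r\n\r\n"
    "customer=J. Doe&card=4111111111111111&exp=12/27"
    "&order=1234567890123456&alt=5105 1051 0510 5100"
    "&phone=555-0100&typo=4111111111111112"
)


def scan_sample():
    return build_alert(SAMPLE_SRC, SAMPLE_DST, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(json.dumps(scan_sample(), indent=2))
```

Of the five digit runs in the sample, only two survive: the 16-digit order number and the mistyped card number fail Luhn, and the phone number is too short. That filtering is what makes the alert worth routing to a SIEM, where it can be correlated with the source host's privileged-access and vulnerability data that Haber mentions.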

First Century Bank hires consultants who use attack tools to try to break into its databases, said Bonner. The industry calls this penetration testing; companies use it to find the vulnerabilities an attacker could exploit to gain access.

Database access itself should be monitored at the network level, routed through a proxy that secures the connection, and permitted only from isolated network zones that are segmented from the rest of the network, Haber said.

David Geer is a freelance writer based in Ashtabula, Ohio.

For more on assessing the effectiveness of your organisation’s cybersecurity efforts, check out the American Institute of CPAs’ cybersecurity risk management reporting framework. Also, view this webinar that features a discussion of cyber trends and best practices between cybersecurity expert and Shark Tank star Robert Herjavec and Barry Melancon, CPA, CGMA, the CEO of the Association of International Certified Professional Accountants.


FM is published by the Association of International Certified Professional Accountants, the most influential body of professional accountants, combining the strengths of the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA) to power opportunity, trust and prosperity for people, businesses and economies worldwide.